March 2017

Mar 28, 2017

Our interview is with Michael Daniel, former Special Assistant to the President and Cybersecurity Coordinator at the White House and current President of the Cyber Threat Alliance. We ask Michael how the new guys are doing in his job, what he most regrets not getting done, why we didn’t float thumb drives filled with “The Interview” into North Korea on balloons, and any number of other politically incorrect questions. His answers are considerably more nuanced.

I note that the privacy zealots of Silicon Valley have fatally miscalculated the kind of support they’ll get in Europe for end-to-end encryption. Face it, guys, Europe hates you no matter what you do, and they’ll happily impose massive fines both for violating user privacy and for protecting it too well.

Does GCHQ spy on Americans for NSA? Nope. The real question is whether Rick Ledgett, number 2 at NSA, has already stopped sounding like a government employee when he talks to the press.

Mar 23, 2017

Having trouble understanding what President Trump and Rep. Nunes are banging on about? Try putting the shoe on the other foot…

It’s 2020. Kamala Harris finishes a close second in New Hampshire, beating expectations that Elizabeth Warren would sweep her neighboring state (and its shared media market). Harris roars into South Carolina, where she suddenly leads in the polls with a message of repudiating what she calls the Trump administration’s dangerous foreign brinksmanship.

Whatever you call it, you can’t call it dull. President Trump has forced Iran to renegotiate the nuclear deal by the simple expedient of expanding US sanctions to include the seizure and impoundment of any tanker carrying Iranian oil. The oil market remains stable, buoyed by record US oil and gas production. But the move prompts a diplomatic rupture and some tense maritime confrontations with India and China. Undeterred, the President says North Korea is next in line for what he calls, “Sanctions that work. Unlike the last guy’s. Not a leader!”

But it will only take one foreign mishap to make Harris tough to beat. She’s fresh and virtually untouched by Warren’s surprised oppo research team. The Trump team vows that it won’t be caught similarly flat-footed.

In July, the intelligence community picks up rumors that intelligence services from Iran, North Korea, and China are working together to ensure a Harris victory in November.

The President erupts at an NSC meeting. “This is intolerable! I want to know everything about foreign interference in our election – and whether any Americans are colluding with Iran. This is a top priority for all of our counterintelligence agencies.”

Attorney General Sessions approves FISA wiretap applications for every known or suspected Iranian foreign agent, with special focus on anyone known to have contacted the Harris campaign. The surveillance reveals that Harris campaign officials talked regularly to Iranian agents and even asked for help in formulating her famous “I will prosecute the President as a war criminal” speech.

The FBI circulates the transcripts to the National Security Council and high-ranking White House officials. The identities of Harris campaign staff are initially “masked”, but many officials, including Steve Bannon, insist on knowing the names “to determine how deeply Iran’s influence operation has penetrated the Harris organization.”

Within weeks, there is a swirl of public speculation about Harris and Iran, but she successfully rejects it as a “diehard Warren delusion.” With more passion than grammar, her top foreign policy adviser denies the rumors “categorically and irrefutably.“

The nominating convention is a love fest. Three weeks later, transcripts of the Harris foreign policy guru’s conversations with Iranian operatives are leaked by government sources. Within a day, bumper stickers appear, saying, “Was it treason? Categorically and irrefutably!”

With that as her introduction to the American public, Harris’s campaign sputters and collapses.

***

Faced with that scenario, who thinks the press would be mocking Harris’s claim that her campaign was wiretapped by its enemies? So why are reporters mocking Trump’s?

Fact is, there’s a very real problem at the bottom of President Trump’s complaints. The Obama administration decided to conduct what was bound to be one-sided surveillance. Any evidence the investigators turned up would hurt the President’s adversary, not his side. The same would be true of any leaks. And widespread distribution of intelligence from the investigation would dramatically increase the risk that his adversary will be hurt by leaks. If you’re the President, or anyone in his administration, what’s not to like?

Who made the decision to expose the Trump campaign to this scrutiny and the risks that came with it? Thanks to FISA, national security surveillance decisions must be made mainly by political appointees. This is meant to be a protection for civil liberties but it’s the reverse in a partisan context. I’m sure that the Trump campaign would rather have had the decision to launch a FISA tap made by the first two names in the DOJ phone book than by Loretta Lynch and Sally Yates. (I realize that Team Trump is now focusing more on surveillance of what might be called “institutional foreign agents” – people who don’t hide their allegiance to foreign nations. The Mike Flynn transcript may have come from such surveillance, as may much of the other “incidental” collection of Trump campaign contacts that Rep. Nunes briefed the President on. Such surveillance goes on with or without an investigation, but distribution of the product would likely be wider once an investigation is opened.)

All that said, appreciating the force of President Trump’s concerns does not mean we shouldn’t have done the investigation. In my view, we have no choice but to investigate and respond aggressively when other countries interfere with our elections. But we also ought to recognize and take action to limit the partisan temptations that such investigations will inevitably offer. Because if anything is utterly predictable about the 2020 election, it’s that foreign governments will try to influence it and that partisan passions will be high. So the surveillance shoe is going to be on someone’s foot in 2020. Ditto for 2024 and 2028 and 2032…

So we might as well try to draw some lessons from the Trump team’s unhappiness instead of pretending that their grievances are entirely illegitimate. Without being able to offer a grand solution, I can think of things that would ameliorate the risk. Maybe the government should be required to identify in advance national security investigations likely to have an impact on political officials or candidates and take special steps to depoliticize them. Perhaps political appointees should recuse themselves from the decision to launch such investigations. And the anonymity of US persons who are also surveilled in such investigations could be protected by special limits on distribution of the masked intelligence and by requiring special assurances from those who want to unmask US persons.

I can’t pretend that these are the only or the best ways to address the problem I see. Turning these decisions over to career people does nothing for those who buy the Deep State meme – or the presumption that civil servants mostly vote Democratic. And after all is said and done, these are minor tweaks, not strong protections against abuse. But at least they’d reduce the risk that Americans will end up in a circular surveillance firing squad every four years.

Mar 21, 2017

Episode 155 of the podcast offers something new: equal time for opposing views. Well, sort of, anyway. In place of our usual interview, we’re running a debate over hacking back that CSIS sponsored last week. I argue that US companies should be allowed to hack back; I’m opposed by Greg Nojeim, Senior Counsel at the Center for Democracy & Technology and Jamil Jaffer, Vice President for Strategy & Business Development of IronNet Cybersecurity. (Jeremy Rabkin, who was supposed to join me in arguing the affirmative, was trapped in Boston by a snowstorm.)

In the news, we can’t avoid the unedifying – and cynical on both sides – spat between press and White House over wiretapping. We then turn to legal news, where I note the DC circuit’s adoption of a cursory and unpersuasive reading of the Foreign Sovereign Immunities Act in the context of state-sponsored hacking of activists in the United States.

Maury Shenk next unpacks the latest ECJ opinion refusing to apply the “right to be forgotten” across the board to government databases. So far, the only clear application is to American tech giants. That’s also true of the latest German proposal to make the internet safe for censors, government and nongovernment alike. As Maury explains, the German Justice Minister is proposing fines up to $50 million for tech giants that don’t censor online speech fast enough or hire enough European private censors to keep up with the workload.

The Justice Department’s indictments in the Yahoo! hack show just how remarkably intertwined Russian intelligence and Russian cybercrime have become.

Alan Cohn and I chew over the latest developments in the new administration’s approach to cybersecurity – a determination to cripple botnets more effectively, and a willingness to exempt DHS cyber programs from what looks like a drastic set of budget cuts for nondefense agencies. Whether the administration can make progress on botnets while sticking to voluntary measures is uncertain; equally uncertain is whether the plus-ups for DHS cyber reflect real satisfaction with the agency’s performance of that mission in recent years.

Finally, Maury and I ask whether the German government is surrendering to reality in pursuing more effective video surveillance of possible criminals and terrorists.

Mar 14, 2017

In this week’s episode, we ask two former NSA cybersecurity experts, Curtis Dukes and Tony Sager, both now from the Center for Internet Security, what advice they give family members about how to keep computers, phones, and doorbells safe from hackers.

Joining us for the news round-up is Carrie Cordero, a Washington lawyer and adjunct professor of Law at Georgetown University who focuses on national security law, homeland security law, cybersecurity and data protection issues.

Stephanie Roy reports that the FCC is investigating a 911 outage at AT&T; so far the agency has been tight-lipped about the details.

Home Depot is nearing the finish line in its data breach ordeal, Jennifer Quinn-Barabanov reports. The banks that had to reissue credit cards were among the last holdouts; they’re getting $25 million, which sounds like a lot until you do the math and realize it’s two bucks a card.

Jennifer tells us that another defense effort to moot a TCPA class action by picking off a named plaintiff has been thwarted – this time by the Second Circuit.

Tom Graves (R-GA) has introduced a hackback defense to CFAA liability. Markham and I trade barbs over the wisdom of allowing hackback defenses, but we reach agreement on the depth of Uber’s greyballing problems – and the risk that more companies will use big data to disfavor some customers without telling them.

Carrie reports on developments in the FBI-Geek Squad imbroglio, and I mock the reporters who bought the deeply unappealing defendant’s claim to be a civil liberties victim.

Last, and well worth the wait, Jennifer and I update our listeners on the latest in CyberSexToy privacy. Turns out the records of your, er, interactions with your internet-enabled vibrator can be compromised for a surprisingly low settlement price. Maybe today is the day we really ought to call time of death for internet privacy.

Mar 06, 2017

In this episode, Matt Tait, aka @PwnAllTheThings, takes us on a tour of Russia’s cyberoperations. Ever wonder why there are three big Russian intel agencies but only two that have nicknames in cybersecurity research? Matt has the answer to this and all your other Russian cyberespionage questions.

In the news, we mourn the loss of Howard Schmidt, the first cyber czar and one of the most decent men in government. Then we descend into the depths of the Trump wiretap story. I reprise some of my views from Lawfare. Michael Vatis is not persuaded.

Maury Shenk is now our official commentator on the legal consequences of Internet-enabled toys. This time it’s teddy bears, whose interactions with children and parents were exposed by hackers.

More seriously, Maury praises an impressive new analysis of China’s 50c army of tweeters. It turns out that everything we thought we knew about the 50c army is wrong.

Just in time for an early spring, we have harbingers of the coming fight over reauthorization of the 702 intercept program. Director of National Intelligence candidate Coats promises to put a number on the US persons whose communications are caught up in the program; the Electronic Frontier Foundation (EFF) and other NGOs turn on both the US government and Silicon Valley to urge that Privacy Shield be held hostage to changes in the program. And the incoming Commerce Secretary, Wilbur Ross, endorses Privacy Shield, a move that may validate EFF’s tactics.